Setting Up SCIM 2.0 User Provisioning and Deprovisioning with MS Entra

What is User Provisioning with SCIM?

SCIM is an open standard that automates user management from an IDP and a SaaS service provider, in this case, Loopio. With our SCIM implementation, you are able to automatically provision (create a Loopio user directly within the IDP.

Prerequisites

• You currently use MS Entra for your user management needs
• You have SAML SSO enabled with Loopio. If you are already using SSO, steps 1-3 below may already be completed

Step 1: Access the Microsoft Entra Portal

1. Navigate to the Microsoft Entra portal
2. Sign in with your administrator credentials

Step 2: Register a New Application in MS Entra

1. In the left-hand menu, select Application > Enterprise applications
2. Click + New Application
3. Click + Create your own application

4. Fill in the application details:

   • What's the name of your app?: Enter a name for your app
   • What are you looking to do with your application?: Choose the “Integrate any other application you don’t find in the gallery (Non-gallery)”

   

5. Click Create
6. After registration, you’ll be taken to the app overview page

Step 3: Configure Single Sign-On Settings

1. In the left-hand menu, select Application > Enterprise applications
2. Select your application
3. Select Single sign-on from the application left-hand menu
4. Select SAML
5. Configure the “Basic SAML Configuration” as per below screenshot
   • Identifier (Entity ID): loopio-sp
   • Reply URL (Assertion Consumer Service URL): https://LOOPIOURL/sso_saml/module.php/saml/sp/saml2-acs.php/loopio-sp
    

   Learn more: What is my Company's Loopio URL?

6. Download the SSO settings XML file from the “Federation Metadata XML” section. We will use this XML file to configure the “SAML SSO settings” in Loopio.

Step 4: Generate the token for SCIM from the Loopio Dashboard

1. In Loopio, access the Admin page
2. Select the Integrations tab
3. In the User Management section, on the SCIM tile, click Generate Token
   
4. Copy this token to configure the provisioning in Entra

Step 5: Configuring the SCIM Provisioning in Entra

1. In Entra, in the left-hand menu, select Application -> Enterprise applications.
2. Select your application created in step 2 above
3. Select Provisioning from the left menu
4. Again, click on Provisioning from the left menu
5. Under Provisioning Mode, select Automatic

6. Enter the SCIM API endpoint and authentication credentials provided by the target application

   •  Tenant URL: https://api.loopio.com/scim/entra (You need to add the tenant URL according to your Loopio environment)
   • Secret Token: Paste the token that was generated in the previous step

   

7. Click Test Connection to verify connectivity
8. Save the configuration
9. Refresh the page

Step 6: Set the Attribute Mapping for Provisioning

1. Click Provisioning in the left menu of the application
2. Click Attribute Mapping (Preview) (Note: If the 'Attribute Mapping' menu isn’t enabled, please refresh the page manually.
3. Select Provision Microsoft Entra ID Users

4. Add/update the below attributes

   

5. Save those changes

Attributes

Step 7: Create the Role for your Application

Create a new user role for your Entra application. These roles should match Loopio’s user roles.

1. In the left-hand menu, select Application > App registrations
2. Select your application from all app lists
3. Select the App roles from the left menu
4. Click Create app role

5. Follow the steps as per below screenshot and select Allowed member types as “Users/Groups” while creating the role

   • Display name: Should match a Role name in your Loopio account (eg Library User)
   • Allowed member types: Users/Groups
   • Value: Replace the spaces in the Loopio Role name with underscores (eg Library_User)
   • Description: The role description is for internal reference only and is not displayed to users

   

6. Once you’ve created all the roles, refresh the page

Step 8: Assign users to the application

1. In the left-hand menu, select Application > Enterprise applications
2. Select your application
3. Go to the Users and groups menu
4. Click + Add user/group
   
5. Select the Users
   
6. Select a Role for those Users. If the 'Select a Role' option isn’t enabled, please refresh the page manually
   
7. Click Assign

Step 9: Start the Provisioning

1. In the left-hand menu, select Application > Enterprise applications
2. Select your application
3. Select Provisioning from the left menu
4. Click Overview (Preview)
5. Click Start provisioning

Step 10: Monitoring Provisioning Log

• Navigate to the Provisioning Logs section to monitor provisioning activities
• Use the Audit Logs in Entra ID for troubleshooting

Step 11: Troubleshooting Common Issues

• Failed Connections: Verify the SCIM endpoint and authentication details
• Sync Errors: Check logs for detailed error messages and adjust attribute mappings
• User Not Provisioned: Ensure the user is assigned to the application

Migration

• If you have a user in Loopio, you should also have the same user in Entra
• If the user does not exist in Entra, please create the user in Entra. You can follow the steps in the link below to create a user in Entra: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users
• If the user exists in Entra, assign them to the Loopio app as explained in Step 8

Note

• Users should have below valid details:
  • First name (Required)
  • Last name (Required)
  • User Role (Must have a valid role)